FEX port going into 'bpdu-guard-err-disable'

dontsellmydata
Level 1

Hi,

 

I'm connecting a brand new out of the box Fortigate 60F to the N2K FEX in our ACI mini lab, and after configuring the port in APIC it goes into a 'bpdu-guard-err-disable' state.

 

I know that FEX has bpdu guard on by default and you cannot disable it which is fine.

 

I'm confused as to why this is happening when I'm connecting a firewall that is in NAT (routed) mode and won't be sending any BPDUs. It's an eth port that I'm connecting from the firewall to the FEX to set up a management connection.

 

I'm getting a green link light on the FEX when patching but after configuring the port in APIC and creating a static access port in the EPG it puts the port into an error state.

 

Accepted Solution

dontsellmydata
Level 1

I figured it out. The problem wasn't on the ACI side.

 

On a Fortigate 60F, interfaces 1-5 are configured into a virtual switch called 'Internal'. This must have been sending BPDUs towards the FEX. Once I disabled the virtual switch everything worked.


7 Replies

balaji.bandi
Hall of Fame

Not sure, maybe the FortiGate tries to negotiate. Since the port is port-fast, try making it a trunk port with only the one VLAN allowed and see if that fixes the issue?

 

example :

 

interface Ethernet100/1/1
switchport mode trunk
switchport trunk allowed vlan 1000

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

dontsellmydata
Level 1

I've just noticed when looking at the port on CLI that it's saying 'switchport trunk' even though when configuring I'm selecting 'Access (802.1p)'.

 

Is there a reason as to why the FEX port would stay as a trunk port? I need it to behave like a regular access port.

In that case, remove the cable, default the port, and make it an access port.

There may be some config from before (not sure).

Can you post 'show run interface ether x/x/x' and also 'show interface ethe x/x/x'?

 

BB


No ports are in use on the FEX currently. When looking at the FEX on the inventory tab in APIC I can see that every port is in an oper mode of trunk.

 

I'm not on site at the moment so cannot remove cables. Earlier I did try different ports on the FEX and the same happened.

 

leaf 101
interface ethernet 101/1/20
# policy-group UKGRNLFS101_IPG
switchport trunk native vlan 2000 tenant GG-Tenant application GG-App-Profile epg Client
exit
exit

Hi @dontsellmydata 

"Access (802.1p)" means that the interface is trunk, and the vlan you configured will be the untagged/native vlan. What you see is expected behavior.

 

Regarding the BPDU guard feature, this is enabled by default on FEX ports and cannot be removed.

It could be possible that what you are seeing is not because of BPDUs but because of MCP. Is your Forti connected to multiple interfaces of ACI?

Can you also share the output of the following commands from the leaf where the FEX and the err-disabled interface are located:

show mcp internal info global
show mcp internal info interface eth X/Y/Z

Stay safe,

Sergiu


"Access (802.1p)"

@Sergiu.Daniluk - I missed this information on a high-level look - yes, agreed.

 

@dontsellmydata - Good, I was guessing it was from the Fortigate, but we did not know the physical side of how they are connected, so I was suggesting a different option. Glad it all got sorted in the end. Nice to know.

BB
